Gnutella Users Warning: Beware of the Mandragore Worm!

26 Feb 2001
Virus News

Cambridge, United Kingdom, February 27, 2001 - Kaspersky Lab, an international data-security software-development company, announces the discovery of a new worm "Mandragore" spreading across the popular Gnutella file exchange network that uses the Peer-to-Peer (P2P) technology.

The opportunity for malicious code of this type to exist in a P2P network was discovered in early May 2000 by Seth MacGann, who posted the results of his research to the respected BugTraq electronic conference. Despite almost a one-year passing, not one single malicious code of this virus had been discovered "in-the-wild." Yet, in only a few days since the "Mandragore" has been discovered, Kaspersky Lab has received information pertaining to nearly 20 computers being infected by this very worm.

"Mandragore" is an EXE file written in the Assembler programming language, and 8192 bytes in size. After the infected file is executed, the worm registers itself as an active node within the Gnutella network, and intercepts all requests for files searching. If a request is detected, the worm returns a positive result, and offers a user to download the requested file even if it is not presented in the infected system. In order to disguise its malicious intentions, "Mandragore" renames its copy according to the intercepted request. For example, if a user is asked for a file containing such words as, "How to become a millionaire," then the infected system will offer to download the file, "How to become a millionaire.exe" It is important to emphasize that the worm cannot penetrate into computers that have no Gnutella-compatible software installed, such as Gnotella, BearShare, LimeWire or ToadNode.

When infecting, "Mandragore" copies itself to the Windows-startup folder under the name of "GSPOT.EXE", and applies the "system" and "hidden" attributes to this file. As a result, each time a computer boots up, the worm automatically takes control and remains in the system memory as an active process.

"This particular worm has no payload except for a minor increase of outgoing traffic and additional consumption of system resources. Mandragore's main danger is not destroying important files or unveiling confidential information, but severe damage to the reputation of a private user and companies that weren't able to repel the worm's attack. I doubt that an infection with even harmless malicious code could stimulate business growth, and attract new customers," said Denis Zenkin, Head of Corporate Communications for Kaspersky Lab.

Infection prevention and removal

To prevent the worm penetrating your computer, you should under no circumstances open EXE files of 8192 bytes in length, even those that are offered to you to download via the Gnutella network. We also recommend you use the anti-virus monitor included in the KasperskyTM Anti-Virus standard package. Checking all the files being accessed in real-time will effectively block the worm's attacking prowess, and prevent infection even if you accidentally have launched (please do not) the infected file.

In case "Mandragore" has managed to get into your computer, we advise you delete the GSPOT.EXE file from the Windows startup folder and reboot the system.

Protection against "Mandragore" has already been added to the daily update of the Kaspersky Anti-Virus virus-signatures database. More details about the worm are available at Kaspersky's Virus Encylopedia.

Kaspersky Anti-Virus can be purchased in the Kaspersky Lab online store or from a worldwide network of Kaspersky Anti-Virus distributors and resellers.

Useful links:

Ben Houston, "A P2P Virus: The "GnutellaMandragore" Virus"